RODC Post-Installation Configuration

Applies To: Windows Server 2008, Windows Server 2012

This topic describes the following post-installation tasks for a read-only domain controller (RODC):

  • Install the global catalog and DNS server after the Active Directory Domain Services installation

  • Modify the DNS client settings of an RODC

  • Verify installation

Install the global catalog and DNS server after the Active Directory Domain Services installation

As a best practice, you should install the Domain Name System (DNS) server role and the global catalog during the installation of Active Directory Domain Services (AD DS). However, if you do not install the DNS server role and the global catalog, you can complete the following procedures to install them after the installation of AD DS. If you install DNS server after the AD DS installation, you must also enlist the RODC in the DNS application directory partitions. The RODC is not enlisted automatically in the DNS application directory partitions by design because it is a privileged operation. If the RODC were allowed to enlist itself, it would have permissions to add or remove other DNS servers that are enlisted in the application directory partitions.

For more information about how to add the global catalog to a domain controller, see Designate a Domain Controller to Be a Global Catalog Server (https://go.microsoft.com/fwlink/?LinkId=151965).

For more information about installing a DNS server, see Install a DNS Server (https://go.microsoft.com/fwlink/?LinkId=151966). If you install a DNS server after the installation of AD DS, enlist the RODC in the DNS application directory partitions.

To enlist a DNS server in a DNS application directory partition

  1. Open an elevated command prompt. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  2. At the command prompt, type the following command, and then press ENTER:

    dnscmd <ServerName> /EnlistDirectoryPartition <FQDN>

For example, to enlist RODC01 in the forest-wide DNS application directory partition in a forest named contoso.com, type the following command:

dnscmd RODC01 /EnlistDirectoryPartition ForestDNSZones.contoso.com

To enlist RODC01 in the domain-wide DNS application directory partition in a domain named child.contoso.com, type the following command:

dnscmd RODC01 /EnlistDirectoryPartition DomainDNSZones.child.contoso.com

You might encounter the following error when you run this command:

Command failed: ERROR_DS_COULDNT_CONTACT_FSMO 8367 0x20AF

If this error appears, use NTDSUTIL to add the RODC for the partition to be replicated:

  1. ntdsutil
    
  2. partition management
    
  3. connections
    
  4. Connect to a writeable domain controller (not an RODC):

    connect to server <WriteableDC>.Child.contoso.com
    
  5. quit
    
  6. To enlist this server in the replication scope for this zone, run the following command:

    add NC Replica DC=DomainDNSZones,DC=Child,DC=Contoso,DC=Com <RODCServer>.Child.contoso.com
    
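
The following PowerShell script is an added example, not part of this topic: it runs the dnscmd enlistment above for both the forest-wide and domain-wide partitions, recognizes the ERROR_DS_COULDNT_CONTACT_FSMO failure described above, and prints the matching NTDSUTIL add NC Replica command for the fallback. The RODC, forest and domain names are assumed placeholders.

```powershell
# Added example (not from the original topic). Enlists an RODC in both DNS
# application directory partitions with dnscmd and reports which ones still
# need the NTDSUTIL fallback. All names below are assumed/constructed.
param(
    [string]$Rodc   = 'RODC01',            # assumed RODC host name
    [string]$Forest = 'contoso.com',       # assumed forest root domain
    [string]$Domain = 'child.contoso.com'  # assumed domain of the RODC
)

$partitions = @(
    "ForestDNSZones.$Forest",   # forest-wide DNS application directory partition
    "DomainDNSZones.$Domain"    # domain-wide DNS application directory partition
)

$needsNtdsutil = @()
foreach ($partition in $partitions) {
    # dnscmd prints "Command completed successfully." on success and
    # "Command failed: <ERROR_NAME> <code> <hex>" on failure.
    $out = & dnscmd.exe $Rodc /EnlistDirectoryPartition $partition 2>&1 | Out-String
    if ($out -match 'Command completed successfully') {
        Write-Host "$Rodc is enlisted in $partition"
    }
    elseif ($out -match 'ERROR_DS_COULDNT_CONTACT_FSMO') {
        # The error covered in the topic: enlist via ntdsutil on a writeable DC.
        Write-Warning "$partition : $($out.Trim())"
        $needsNtdsutil += $partition
    }
    else {
        Write-Warning "$partition : $($out.Trim())"
    }
}

if ($needsNtdsutil) {
    Write-Host "On a writeable DC run ntdsutil > partition management > connections,"
    Write-Host "connect to that DC, quit, then run:"
    foreach ($partition in $needsNtdsutil) {
        # Turn ForestDNSZones.contoso.com into DC=ForestDNSZones,DC=contoso,DC=com
        $dn = ($partition.Split('.') | ForEach-Object { "DC=$_" }) -join ','
        Write-Host "  add NC Replica $dn $Rodc.$Domain"
    }
}
```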

Modify the DNS client settings of an RODC

After your installation of the RODC is complete, we recommend that you modify the DNS client settings on the server. Before the installation of the RODC, you should have configured the DNS client settings so that the RODC points to a writeable Windows Server 2008 domain controller as its preferred DNS server. After the RODC is installed, the IP version 4 (IPv4) address 127.0.0.1 and the IP version 6 (IPv6) address ::1 are inserted as additional DNS servers in the client DNS settings of the RODC. To ensure that the RODC uses its own DNS records when it resolves queries that originate on the RODC, change the value of Preferred DNS server to 127.0.0.1 in the IPv4 client DNS settings and to ::1 in the IPv6 client DNS settings on the RODC. You can use Network Connections in Control Panel or the Netsh tool to change these addresses.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To change the preferred DNS server settings on the RODC by using Network Connections

  1. Log on to the RODC with an account that is a member of the local built-in Administrators group.

  2. Click Start. In Start Search, type ncpa.cpl, and then press ENTER. The Network Connections dialog box opens.

  3. Right-click the primary network interface ConnectionName (by default, this is named Local Area Connection) for the RODC, and then click Properties.

  4. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

  5. In Preferred DNS server, type the IP address 127.0.0.1.

  6. In Alternate DNS server, type the address of the alternate DNS server that you want to use—typically, the IP address of the nearest writeable domain controller.

  7. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click OK.

  8. Click Internet Protocol Version 6 (TCP/IPv6), and then click Properties.

  9. In Preferred DNS server, type ::1. If appropriate, in Alternate DNS server, type the IP address of an alternate DNS server, and then click OK.

  10. In the ConnectionName Properties dialog box, click Close.

To change the preferred DNS server settings on the RODC by using Netsh

  1. Log on to the RODC with an account that is a member of the local built-in Administrators group.

  2. Open a command prompt. To open a Command Prompt window, click Start, point to All Programs, click Accessories, and then click Command Prompt.

  3. Use the following command to set the preferred DNS server IP address:

    netsh interface ipv4|ipv6 set dnsserver name="<ConnectionName>" static 127.0.0.1

    For example, for the default connection name Local Area Connection, type netsh interface ipv4 set dnsserver name="Local Area Connection" static 127.0.0.1, and then press ENTER. To set ::1 as the preferred DNS server for IPv6, type netsh interface ipv6 set dnsserver name="Local Area Connection" static ::1, and then press ENTER.

  4. To enter an alternate DNS server, use the following command:

    netsh interface ipv4|ipv6 add dnsserver name="<ConnectionName>" <IPAddress> index=2

    For example, if you want to configure an RODC by using the default connection with an alternate DNS server IPv4 address of 192.168.0.220, type netsh interface ipv4 add dnsserver "Local Area Connection" 192.168.0.220 index=2, and then press ENTER.

    To configure fe80::260:97ff:fe02:6e8f as the alternate IPv6 DNS server, type netsh interface ipv6 add dnsserver "Local Area Connection" fe80::260:97ff:fe02:6e8f index=2, and then press ENTER.

    • If you want to add additional DNS servers, you can increment the index number.

      For example, to add a third DNS server with an IPv4 address of 192.168.0.221, type netsh interface ipv4 add dnsserver "Local Area Connection" 192.168.0.221 index=3, and then press ENTER.

    • If you want to clear a specific DNS server from the list, you can use the command netsh interface ipv4|ipv6 delete dnsserver "<ConnectionName>" <IPAddress>.

      For example, to remove the IPv4 address 192.168.0.220 from the list of addresses in the Local Area Connection object, type netsh interface ipv4 delete dnsserver "Local Area Connection" 192.168.0.220, and then press ENTER.

    • You can clear the entire list of DNS server addresses by using the word all instead of typing an IP address.

      For example, to clear all the IPv4 addresses that are listed as DNS servers for Local Area Connection, type netsh interface ipv4 delete dnsserver "Local Area Connection" all, and then press ENTER.

Verify installation

After you have made final configuration adjustments, ensure that the domain controller is functioning properly. The quickest way to do this is to use the Dcdiag tool at a command prompt.

  • At a command prompt, type dcdiag /v, and then press ENTER.

    Review the command output for errors. As an alternative, you can use the command dcdiag /v > dctest.txt to write the diagnostic output to a text file named Dctest.txt. You can then use a text editor (for example, Notepad) to display the results. For example, run notepad dctest.txt to open the file. If Notepad is not installed, you can view the file with the Type command. For example, to view the contents of the Dctest.txt file, run type dctest.txt | more, which displays one screen of text at a time in a Command Prompt window. You can use SPACEBAR to advance through the file.

If you do not see any errors logged by Dcdiag, the domain controller should be functioning properly. If you do see errors, attempt to resolve the issues that you discover and look in the Event Viewer for additional troubleshooting information.
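
The PowerShell script below is an added example, not part of this topic: it runs dcdiag /v, keeps the full output in a Dctest.txt file as described above, and summarizes which tests passed or failed so that the verbose log only has to be read when something fails. The log location is assumed.

```powershell
# Added example (not from the original topic). Runs dcdiag /v, saves the
# verbose output to dctest.txt and summarizes the per-test results.
$logPath = Join-Path $env:TEMP 'dctest.txt'   # assumed log location

& dcdiag.exe /v 2>&1 | Out-File -FilePath $logPath -Encoding ascii

# dcdiag reports each test on a line such as
# "......................... RODC01 passed test Connectivity"
# or "......................... RODC01 failed test Replications".
$results = Get-Content $logPath | ForEach-Object {
    if ($_ -match '\.{3,}\s*(?<dc>\S+)\s+(?<result>passed|failed) test (?<test>\S+)') {
        [pscustomobject]@{
            DC     = $Matches.dc
            Test   = $Matches.test
            Result = $Matches.result
        }
    }
}

$failed = @($results | Where-Object { $_.Result -eq 'failed' })
if ($failed.Count -eq 0) {
    Write-Host "All $(@($results).Count) dcdiag tests passed; details in $logPath"
}
else {
    # Failed tests warrant a look at the verbose log and at Event Viewer.
    Write-Warning "$($failed.Count) dcdiag test(s) failed; review $logPath and Event Viewer:"
    $failed | Format-Table DC, Test -AutoSize
}
```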